1. Laboratório do Curso de Segurança Ofensiva
Scanning de Portas e Gerador de pacotes
1. NMAP
Opções Básicas
-sT = Scaneia portas apenas do protocolo TCP.
-sU = Scaneia portas apenas do protocolo UDP.
-sS = Scaneia usando pacotes tcp com o flag SYN ativado.
-sA = Scaneia usando pacotes tcp com o flago ACK ativado. Ótimo para
burlar a segurança de programas firewalls e descobrir suas regras de
filtragem.
-sP = Scan de ping. Varre uma grande faixa de ips usando mensagens icmp
echo request para determinar os hosts ativos("alive") na(s) rede(s).
-P0 = Não disparar o ping em scans. Serve para scannear máquinas que
bloqueiam tráfego do protocolo icmp.
-O = Finger printing. Usado para obter informações remotas sobre o
sistema operacional da vitima.
-sV = Obtém informações do tipo de serviço rodando em uma porta
específica que esteja aceitando conexões. Essa opção é muito útil para
saber se é uma versão antiga que possa ser remotamente explorada com o
uso de exploits para invasão do sistema ou outros objetivos.
-p = Especifica uma faixa de portas, ou uma única porta de serviço a ser
scaneada.
Ver:
http://www.vivaolinux.com.br/artigos/impressora.php?codigo=13548
Solution Consultoria e Treinamento
www.solution-rj.com.br
Rua Monan Pequeno 38/38, Pendotiba, Niterói, RJ.
Email: solution@solution-rj.com.br/Tel: 021 8732-9993
1
2. Sem parâmetros
root@bt:~# nmap
Nmap 5.61TEST4 ( http://nmap.org )
Usage: nmap [Scan Type(s)] [Options] {target specification}
TARGET SPECIFICATION:
Arquivos importantes em /usr/local/share/nmap
Escanear 172.16.50.40 (Windows2003-XAMP-ENG)
root@bt:~# nmap 172.16.50.40
Starting Nmap 5.61TEST4 ( http://nmap.org ) at 2012-06-25 17:48 BRT
Nmap scan report for 172.16.50.40
Host is up (1.0s latency).
Not shown: 991 closed ports
PORT STATE SERVICE
21/tcp open ftp
80/tcp open http
135/tcp open msrpc
139/tcp open netbios-ssn
443/tcp open https
445/tcp open microsoft-ds
514/tcp filtered shell
1025/tcp open NFS-or-IIS
3306/tcp open mysql
Nmap done: 1 IP address (1 host up) scanned in 94.39 seconds
root@bt:~#
Solution Consultoria e Treinamento
www.solution-rj.com.br
Rua Monan Pequeno 38/38, Pendotiba, Niterói, RJ.
Email: solution@solution-rj.com.br/Tel: 021 8732-9993
2
3. Banners
root@bt:~# nmap -sV 172.16.50.40
Starting Nmap 5.61TEST4 ( http://nmap.org ) at 2012-06-25 18:21 BRT
Nmap scan report for 172.16.50.40
Host is up (0.00077s latency).
Not shown: 992 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp
FileZilla ftpd 0.9.32 beta
80/tcp open http
Apache httpd 2.2.12 ((Win32) DAV/2 mod_ssl/2.2.12 OpenSSL/0.9.8k
mod_autoindex_color PHP/5.3.0 mod_perl/2.0.4 Perl/v5.10.0)
135/tcp open msrpc
Microsoft Windows RPC
139/tcp open netbios-ssn
443/tcp open ssl/http Apache httpd 2.2.12 ((Win32) DAV/2 mod_ssl/2.2.12
OpenSSL/0.9.8k mod_autoindex_color PHP/5.3.0 mod_perl/2.0.4 Perl/v5.10.0)
445/tcp open microsoft-ds Microsoft Windows 2003 or 2008 microsoft-ds
1025/tcp open msrpc
Microsoft Windows RPC
3306/tcp open mysql
MySQL (unauthorized)
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Service detection performed. Please report any incorrect results at http://nmap.org/submit/
Nmap done: 1 IP address (1 host up) scanned in 13.70 seconds
detecção de S.O
root@bt:~# nmap -O 172.16.50.40
Starting Nmap 5.61TEST4 ( http://nmap.org ) at 2012-06-25 18:20 BRT
Nmap scan report for 172.16.50.40
Host is up (0.0011s latency).
Not shown: 992 closed ports
PORT STATE SERVICE
21/tcp open ftp
80/tcp open http
135/tcp open msrpc
139/tcp open netbios-ssn
443/tcp open https
445/tcp open microsoft-ds
1025/tcp open NFS-or-IIS
3306/tcp open mysql
Device type: general purpose
Running: Microsoft Windows 2003
OS CPE: cpe:/o:microsoft:windows_server_2003
OS details: Microsoft Windows Server 2003 SP1 or SP2
Network Distance: 2 hops
OS detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 3.07 seconds
root@bt:~#
Solution Consultoria e Treinamento
www.solution-rj.com.br
Rua Monan Pequeno 38/38, Pendotiba, Niterói, RJ.
Email: solution@solution-rj.com.br/Tel: 021 8732-9993
3
4. Ping em rede
root@bt:~# nmap -sP 172.16.49.0/24
Starting Nmap 5.61TEST4 ( http://nmap.org ) at 2012-06-25 18:13 BRT
Nmap scan report for 172.16.49.1
Host is up (0.00025s latency).
MAC Address: 00:50:56:C0:00:08 (VMware)
Nmap scan report for 172.16.49.2
Host is up (0.00027s latency).
MAC Address: 00:50:56:F3:86:20 (VMware)
Nmap scan report for 172.16.49.130
Host is up.
Nmap scan report for 172.16.49.254
Host is up (0.00025s latency).
MAC Address: 00:50:56:E2:64:64 (VMware)
Nmap done: 256 IP addresses (4 hosts up) scanned in 4.19 seconds
root@bt:~#
Subir o serviço SSH no firewall na porta 60000
- editar arq /etc/ssh/sshd.conf e rebootar serviço
root@ubuntu:~# more /etc/ssh/sshd_config
# Package generated configuration file
# See the sshd_config(5) manpage for details
# What ports, IPs and protocols we listen for
Port 60000
# Use these options to restrict which interfaces/protocols sshd will bind to
#ListenAddress ::
#ListenAddress 0.0.0.0
Protocol 2
root@ubuntu:~# /etc/init.d/ssh restart
Rather than invoking init scripts through /etc/init.d, use the service(8)
utility, e.g. service ssh restart
Since the script you are attempting to invoke has been converted to an
Upstart job, you may also use the restart(8) utility, e.g. restart ssh
ssh start/running, process 10398
root@ubuntu:~# netstat -natp | grep ssh
tcp
0 0 0.0.0.0:60000
0.0.0.0:*
LISTEN 10398/sshd
tcp6
0 0 :::60000
:::*
LISTEN 10398/sshd
root@ubuntu:~#
Solution Consultoria e Treinamento
www.solution-rj.com.br
Rua Monan Pequeno 38/38, Pendotiba, Niterói, RJ.
Email: solution@solution-rj.com.br/Tel: 021 8732-9993
4
5. Realizar scaneamento normalmente
root@bt:~# nmap 172.16.49.100
Starting Nmap 5.61TEST4 ( http://nmap.org ) at 2012-06-25 18:32 BRT
Nmap scan report for 172.16.49.100
Host is up (0.00040s latency).
Not shown: 996 closed ports
PORT STATE SERVICE
21/tcp open ftp
80/tcp open http
3128/tcp open squid-http
8888/tcp open sun-answerbook
MAC Address: 00:0C:29:FB:E5:B6 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 0.31 seconds
root@bt:~#
Realizar scaneamento em todas as portas
root@bt:~# nmap -p 1-65535 -sV 172.16.49.100
Starting Nmap 5.61TEST4 ( http://nmap.org ) at 2012-06-25 18:34 BRT
Nmap scan report for 172.16.49.100
Host is up (0.00075s latency).
Not shown: 65530 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp
vsftpd 2.3.0
80/tcp open http
Apache httpd 2.2.16 ((Ubuntu))
3128/tcp open http-proxy Squid webproxy 3.1.6
8888/tcp open http-proxy Tinyproxy 1.8.2
60000/tcp open ssh
OpenSSH 5.5p1 Debian 4ubuntu6 (protocol 2.0)
MAC Address: 00:0C:29:FB:E5:B6 (VMware)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:kernel
Service detection performed. Please report any incorrect results at http://nmap.org/submit/
Nmap done: 1 IP address (1 host up) scanned in 123.86 seconds
root@bt:~#
Solution Consultoria e Treinamento
www.solution-rj.com.br
Rua Monan Pequeno 38/38, Pendotiba, Niterói, RJ.
Email: solution@solution-rj.com.br/Tel: 021 8732-9993
5
6. Scanning UDP
root@bt:~# nmap -sU -vv -p1-200 172.16.50.20
Starting Nmap 5.61TEST4 ( http://nmap.org ) at 2012-06-25 23:57 BRT
Initiating Ping Scan at 23:57
Scanning 172.16.50.20 [4 ports]
Completed Ping Scan at 23:57, 0.01s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 23:57
Completed Parallel DNS resolution of 1 host. at 23:57, 0.05s elapsed
Initiating UDP Scan at 23:57
Scanning 172.16.50.20 [200 ports]
Discovered open port 123/udp on 172.16.50.20
Discovered open port 137/udp on 172.16.50.20
Completed UDP Scan at 23:57, 1.25s elapsed (200 total ports)
Nmap scan report for 172.16.50.20
Host is up (0.0041s latency).
Scanned at 2012-06-25 23:57:10 BRT for 1s
Not shown: 196 closed ports
PORT STATE
SERVICE
123/udp open
ntp
137/udp open
netbios-ns
138/udp open|filtered netbios-dgm
161/udp open|filtered snmp
Read data files from: /usr/local/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 1.43 seconds
Raw packets sent: 206 (6.089KB) | Rcvd: 199 (11.364KB)
Scanear uma porta
root@bt:~# nmap -p T:139 172.16.50.20-40
Starting Nmap 5.61TEST4 ( http://nmap.org ) at 2012-06-26 00:00 BRT
Nmap scan report for 172.16.50.20
Host is up (0.0021s latency).
PORT STATE SERVICE
139/tcp open netbios-ssn
Nmap scan report for 172.16.50.40
Host is up (0.0032s latency).
PORT STATE SERVICE
139/tcp open netbios-ssn
Nmap done: 21 IP addresses (2 hosts up) scanned in 2.69 seconds
root@bt:~#
Solution Consultoria e Treinamento
www.solution-rj.com.br
Rua Monan Pequeno 38/38, Pendotiba, Niterói, RJ.
Email: solution@solution-rj.com.br/Tel: 021 8732-9993
6
7. Grepable - facilita a manipulação
root@bt:~# nmap -p T:139 172.16.50.20-40 -oG smb.txt
Starting Nmap 5.61TEST4 ( http://nmap.org ) at 2012-06-26 00:04 BRT
Nmap scan report for 172.16.50.20
Host is up (0.0018s latency).
PORT STATE SERVICE
139/tcp open netbios-ssn
Nmap scan report for 172.16.50.40
Host is up (0.0012s latency).
PORT STATE SERVICE
139/tcp open netbios-ssn
Nmap done: 21 IP addresses (2 hosts up) scanned in 2.64 seconds
root@bt:~# ls
Desktop lab_bash-script lab_DNS output.txt rota.sh smb.txt teste.txt teste.txt~
root@bt:~# more smb.txt
# Nmap 5.61TEST4 scan initiated Tue Jun 26 00:04:24 2012 as: nmap -p T:139 -oG smb.txt
172.16.50.20-40
Host: 172.16.50.20 () Status: Up
Host: 172.16.50.20 () Ports: 139/open/tcp//netbios-ssn///
Host: 172.16.50.40 () Status: Up
Host: 172.16.50.40 () Ports: 139/open/tcp//netbios-ssn///
# Nmap done at Tue Jun 26 00:04:27 2012 -- 21 IP addresses (2 hosts up) scanned in 2.64
seconds
root@bt:~# grep open smb.txt
Host: 172.16.50.20 () Ports: 139/open/tcp//netbios-ssn///
Host: 172.16.50.40 () Ports: 139/open/tcp//netbios-ssn///
root@bt:~#
Solution Consultoria e Treinamento
www.solution-rj.com.br
Rua Monan Pequeno 38/38, Pendotiba, Niterói, RJ.
Email: solution@solution-rj.com.br/Tel: 021 8732-9993
7
8. Scripting engine (4.2)
- brute force
- info gather
- vulnerability scaning
- etc
Diretório de Configuração - /usr/local/share/nmap/scripts/
ver smb-enum-users.nse (procurar por usage)
root@bt:/usr/local/share/nmap/scripts# more smb-enum-users.nse
Credit goes out to the <code>enum.exe</code>, <code>sid2user.exe</code>, and
<code>user2sid.exe</code> programs.
The code I wrote for this is largely based on the techniques used by them.
]]
---- @usage
-- nmap --script smb-enum-users.nse -p445 <host>
-- sudo nmap -sU -sS --script smb-enum-users.nse -p U:137,T:139 <host>
root@bt:/usr/local/share/nmap/scripts#
Solution Consultoria e Treinamento
www.solution-rj.com.br
Rua Monan Pequeno 38/38, Pendotiba, Niterói, RJ.
Email: solution@solution-rj.com.br/Tel: 021 8732-9993
8
9. Enumerar Usuários do Windows 2000
root@bt:# nmap --script smb-enum-users.nse -p139 172.16.50.50
Starting Nmap 5.61TEST4 ( http://nmap.org ) at 2012-06-26 00:22 BRT
Nmap scan report for 172.16.50.50
Host is up (0.011s latency).
PORT STATE SERVICE
139/tcp open netbios-ssn
Host script results:
| smb-enum-users:
| WIN2KSQL01Administrator (RID: 500)
| Description: Built-in account for administering the computer/domain
| Flags:
Password does not expire, Normal user account
| WIN2KSQL01backup (RID: 1006)
| Full name: backup
| Flags:
Password does not expire, Normal user account
| WIN2KSQL01Guest (RID: 501)
| Description: Built-in account for guest access to the computer/domain
| Flags:
Password not required, Password does not expire, Account disabled, Normal
user account
| WIN2KSQL01IUSR_SRV2 (RID: 1002)
| Full name: Internet Guest Account
| Description: Built-in account for anonymous access to Internet Information Services
| Flags:
Password not required, Password does not expire, Normal user account
| WIN2KSQL01IWAM_SRV2 (RID: 1003)
| Full name: Launch IIS Process Account
| Description: Built-in account for Internet Information Services to start out of process
applications
| Flags:
Password not required, Password does not expire, Normal user account
| WIN2KSQL01sqlusr (RID: 1005)
| Full name: sqlusr
| Flags:
Normal user account
| WIN2KSQL01TsInternetUser (RID: 1000)
| Full name: TsInternetUser
| Description: This user account is used by Terminal Services.
|_ Flags:
Password not required, Password does not expire, Normal user account
Nmap done: 1 IP address (1 host up) scanned in 0.41 seconds
root@bt:#
Solution Consultoria e Treinamento
www.solution-rj.com.br
Rua Monan Pequeno 38/38, Pendotiba, Niterói, RJ.
Email: solution@solution-rj.com.br/Tel: 021 8732-9993
9
10. Verificar Vulnerabilidades SMB
root@bt:~# nmap -v --script=smb-check-vulns 172.16.50.40
Starting Nmap 5.61TEST4 ( http://nmap.org ) at 2012-06-26 00:31 BRT
NSE: Loaded 1 scripts for scanning.
Initiating Ping Scan at 00:31
Scanning 172.16.50.40 [4 ports]
Discovered open port 135/tcp on 172.16.50.40
Discovered open port 21/tcp on 172.16.50.40
Discovered open port 443/tcp on 172.16.50.40
Discovered open port 80/tcp on 172.16.50.40
Discovered open port 3306/tcp on 172.16.50.40
Discovered open port 1025/tcp on 172.16.50.40
Discovered open port 445/tcp on 172.16.50.40
Discovered open port 3389/tcp on 172.16.50.40
Discovered open port 139/tcp on 172.16.50.40
Completed SYN Stealth Scan at 00:31, 1.34s elapsed (1000 total ports)
NSE: Script scanning 172.16.50.40.
Initiating NSE at 00:31
Completed NSE at 00:31, 0.08s elapsed
Nmap scan report for 172.16.50.40
Host is up (0.0014s latency).
Not shown: 991 closed ports
PORT STATE SERVICE
21/tcp open ftp
80/tcp open http
135/tcp open msrpc
139/tcp open netbios-ssn
443/tcp open https
445/tcp open microsoft-ds
1025/tcp open NFS-or-IIS
3306/tcp open mysql
3389/tcp open ms-term-serv
Host script results:
| smb-check-vulns:
| MS08-067: VULNERABLE
| Conficker: Likely CLEAN
| regsvc DoS: CHECK DISABLED (add '--script-args=unsafe=1' to run)
| SMBv2 DoS (CVE-2009-3103): CHECK DISABLED (add '--script-args=unsafe=1' to run)
| MS06-025: CHECK DISABLED (remove 'safe=1' argument to run)
|_ MS07-029: CHECK DISABLED (remove 'safe=1' argument to run)
Testar o uso de todos os scripts
nmap --script=all 172.16.50.50 (anon ftp, smb users , password policy,
netbios vulnerabilidade etc)
Solution Consultoria e Treinamento
www.solution-rj.com.br
Rua Monan Pequeno 38/38, Pendotiba, Niterói, RJ.
Email: solution@solution-rj.com.br/Tel: 021 8732-9993
10
11. 2. HPING3 (gerador de pacotes)
root@bt:~# hping3 -c 1 -V -I eth0 -1 172.16.50.40
using eth0, addr: 172.16.49.130, MTU: 1500
HPING 172.16.50.40 (eth0 172.16.50.40): icmp mode set, 28 headers + 0 data bytes
len=46 ip=172.16.50.40 ttl=127 id=44550 tos=0 iplen=28
icmp_seq=0 rtt=0.9 ms
--- 172.16.50.40 hping statistic --1 packets tramitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 0.9/0.9/0.9 ms
root@bt:~#
-c = count
-V = verbose
-I = Network Interface to use
-1 = ICMP packet
root@bt:~# hping3 -c 1 -V -I eth0 -s 8765 -p 80 -S 172.16.50.40
using eth0, addr: 172.16.49.130, MTU: 1500
HPING 172.16.50.40 (eth0 172.16.50.40): S set, 40 headers + 0 data bytes
len=46 ip=172.16.50.40 ttl=127 id=44554 tos=0 iplen=44
sport=80 flags=SA seq=0 win=64240 rtt=3.1 ms
seq=3096103240 ack=1389621577 sum=dcf8 urp=0
--- 172.16.50.40 hping statistic --1 packets tramitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 3.1/3.1/3.1 ms
root@bt:~#
-s = source port
-p = destination port
-S = set the SYN flag in the packet
Solution Consultoria e Treinamento
www.solution-rj.com.br
Rua Monan Pequeno 38/38, Pendotiba, Niterói, RJ.
Email: solution@solution-rj.com.br/Tel: 021 8732-9993
11
12. No flags
root@bt:~# hping3 -c 1 -V -I eth0 -s 8765 -p 80 172.16.50.40
using eth0, addr: 172.16.49.130, MTU: 1500
HPING 172.16.50.40 (eth0 172.16.50.40): NO FLAGS are set, 40 headers + 0 data bytes
len=46 ip=172.16.50.40 ttl=127 id=44559 tos=0 iplen=40
sport=80 flags=RA seq=0 win=0 rtt=1.4 ms
seq=0 ack=1775632469 sum=4d67 urp=0
--- 172.16.50.40 hping statistic --1 packets tramitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 1.4/1.4/1.4 ms
root@bt:~#
Flag FIN set
root@bt:~# hping3 -c 1 -V -I eth0 -s 8765 -p 53 -F 172.16.50.40
using eth0, addr: 172.16.49.130, MTU: 1500
HPING 172.16.50.40 (eth0 172.16.50.40): F set, 40 headers + 0 data bytes
len=46 ip=172.16.50.40 ttl=127 id=44566 tos=0 iplen=40
sport=53 flags=RA seq=0 win=0 rtt=1.5 ms
seq=0 ack=2031154861 sum=d561 urp=0
--- 172.16.50.40 hping statistic --1 packets tramitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 1.5/1.5/1.5 ms
root@bt:~# hping3 -c 1 -V -I eth0 -s 8765 -p 80 -F 172.16.50.40
using eth0, addr: 172.16.49.130, MTU: 1500
HPING 172.16.50.40 (eth0 172.16.50.40): F set, 40 headers + 0 data bytes
len=46 ip=172.16.50.40 ttl=127 id=44567 tos=0 iplen=40
sport=80 flags=RA seq=0 win=0 rtt=1.4 ms
seq=0 ack=2070067822 sum=a79b urp=0
--- 172.16.50.40 hping statistic --1 packets tramitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 1.4/1.4/1.4 ms
root@bt:~#
Solution Consultoria e Treinamento
www.solution-rj.com.br
Rua Monan Pequeno 38/38, Pendotiba, Niterói, RJ.
Email: solution@solution-rj.com.br/Tel: 021 8732-9993
12
13. ACK set
root@bt:~# hping3 -c 1 -V -I eth0 -s 8765 -p 80 -A 172.16.50.40
using eth0, addr: 172.16.49.130, MTU: 1500
HPING 172.16.50.40 (eth0 172.16.50.40): A set, 40 headers + 0 data bytes
len=46 ip=172.16.50.40 ttl=127 id=44571 tos=0 iplen=40
sport=80 flags=R seq=0 win=0 rtt=6.7 ms
seq=120690317 ack=120690317 sum=b96 urp=0
--- 172.16.50.40 hping statistic --1 packets tramitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 6.7/6.7/6.7 ms
root@bt:~#
Solution Consultoria e Treinamento
www.solution-rj.com.br
Rua Monan Pequeno 38/38, Pendotiba, Niterói, RJ.
Email: solution@solution-rj.com.br/Tel: 021 8732-9993
13